Thank you!
Sorry for the delay in responding, here is my dataset:

<dataset>
    <name>userAccountControl</name>
    <policy>FORCE</policy>
    <forceValues>
        <string>
        var uac = dstBean.getDatasetFirstValueById('userAccountControl');
        if (srcBean.getDatasetFirstValueById('employeeType') == "Abandoned") {
            uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'),
                    [AD.UAC_SET_ACCOUNTDISABLE]);
        } else {
            uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'),
                    [AD.UAC_UNSET_ACCOUNTDISABLE]);
        }
        uac;
        </string>
    </forceValues>
</dataset>

This works, although I have to run "lsc -f /etc/lsc -s all" twice to get the 
desired results. The first run adds the user to AD and the second run enables all 
users who aren't labeled as "Abandoned". Am I correct in thinking that I 
should have this dataset in a separate task to avoid having to run lsc twice?


--- On Mon, 8/27/12, Clément OUDOT <[email protected]> wrote:

From: Clément OUDOT <[email protected]>
Subject: Re: [lsc-users] Setting Users in Active Directory To Disabled
To: "Domenic Silletti" <[email protected]>
Cc: [email protected]
Date: Monday, August 27, 2012, 11:25 AM

2012/8/27 Domenic Silletti <[email protected]>
>
> Hi,
> I'm running LSC 2.0 that successfully synchronizes users from openldap to 
> Active Directory.  I want to be able to set userAccountControl to "0" (the 
> account needs to be disabled in Active Directory) based on the value of an 
> attribute in openldap.  We have "employeeType = Abandoned" in openldap to 
> designate an employee who has left.  I need to insert some simple if/then 
> logic into my esc.xml file and would like to know if this is possible or not.



Of course it is possible!

In the dataset you created for attribute userAccountControl, write
this kind of script (test it, I wrote it just as an example):

var uac = dstBean.getDatasetFirstValueById('userAccountControl');
if (srcBean.getDatasetFirstValueById('employeeType') == "Abandoned") {
  uac = AD.userAccountControlSet(
        dstBean.getDatasetFirstValueById('userAccountControl'),
        [AD.UAC_SET_ACCOUNTDISABLE]);
} else {
  uac = AD.userAccountControlSet(
        dstBean.getDatasetFirstValueById('userAccountControl'),
        [AD.UAC_UNSET_ACCOUNTDISABLE]);
}
uac;


See 
http://lsc-project.org/wiki/documentation/2.0/configuration/syncoptions/activedirectory
for more details.


Clément.
<?xml version="1.0" ?>
<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.0.xsd" id="1"
	revision="0">
	<connections>
		<ldapConnection>
			<name>ldap-src-conn</name>
			<url>ldap://old-ldap01:389/ou=trc,ou=jud,dc=state,dc=ma,dc=us</url>
			<username>cn=Manager,ou=jud,dc=state,dc=ma,dc=us</username>
			<password>password</password>
			<authentication>SIMPLE</authentication>
			<referral>IGNORE</referral>
			<derefAliases>NEVER</derefAliases>
			<version>VERSION_3</version>
			<pageSize>-1</pageSize>
			<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
			<tlsActivated>false</tlsActivated>
		</ldapConnection>
		<ldapConnection>
			<name>ldap-dst-conn</name>
			<url>ldap://bos-trc-ad:389/dc=trc-ad,dc=jud,dc=state,dc=ma,dc=us</url>
			<username>cn=Administrator,cn=Users,dc=trc-ad,dc=jud,dc=state,dc=ma,dc=us</username>
			<password>password</password>
			<authentication>SIMPLE</authentication>
			<referral>IGNORE</referral>
			<derefAliases>NEVER</derefAliases>
			<version>VERSION_3</version>
			<pageSize>1000</pageSize>
			<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
			<tlsActivated>false</tlsActivated>
		</ldapConnection>
	</connections>
	<tasks>
        	<task>
                        <name>People</name>
			<bean>org.lsc.beans.SimpleBean</bean>
			<ldapSourceService>
				<name>openldap-source-service</name>
				<connection reference="ldap-src-conn" />
				<baseDn>ou=People,ou=trc,ou=jud,dc=state,dc=ma,dc=us</baseDn>
				<pivotAttributes>
					<string>uid</string>
				</pivotAttributes>
				<fetchedAttributes>
					<string>cn</string>
					<string>sn</string>
					<string>l</string>
					<string>userPassword</string>
					<string>uid</string>
					<string>mail</string>
					<string>givenName</string>
					<string>physicalDeliveryOfficeName</string>
					<string>title</string>
					<string>initials</string>
					<string>street</string>
					<string>postalCode</string>
					<string>st</string>
					<string>departmentNumber</string>
					<string>employeeType</string>
				</fetchedAttributes>
				<getAllFilter>(&amp;(uid=*)(objectClass=inetOrgPerson))</getAllFilter>
				<getOneFilter>(&amp;(objectClass=inetorgperson)(uid={uid}))</getOneFilter>
			</ldapSourceService>
			<ldapDestinationService>
				<name>ad-dst-service</name>
				<connection reference="ldap-dst-conn" />
				<baseDn>ou=People,dc=trc-ad,dc=jud,dc=state,dc=ma,dc=us</baseDn>
				<pivotAttributes>
					<string>samAccountName</string>
				</pivotAttributes>
				<fetchedAttributes>
					<string>cn</string>
					<string>sn</string>
					<string>samAccountName</string>
					<string>userPrincipalName</string>
					<string>objectClass</string>
					<string>givenName</string>
					<string>physicalDeliveryOfficeName</string>
					<string>title</string>
					<string>initials</string>
					<string>streetAddress</string>
					<string>postalCode</string>
					<string>st</string>
					<string>departmentNumber</string>
					<string>uid</string>
					<string>employeeType</string>
					<string>userAccountControl</string>
				</fetchedAttributes>
				<getAllFilter>(objectClass=user)</getAllFilter>
				<getOneFilter>(&amp;(objectClass=user)(samAccountName={uid}))</getOneFilter>
			</ldapDestinationService>
			<propertiesBasedSyncOptions>
				<mainIdentifier>"cn=" + srcBean.getDatasetFirstValueById("cn") + ",ou=People,dc=trc-ad,dc=jud,dc=state,dc=ma,dc=us"
                                </mainIdentifier>
				<defaultDelimiter>;</defaultDelimiter>
				<defaultPolicy>FORCE</defaultPolicy>
                              <dataset>
                                 <!-- userPrincipalName = uid + "@jud.state.ma.us" -->
                                 <name>userPrincipalName</name>
                                 <policy>FORCE</policy>
                                 <forceValues>
                                 <string>srcBean.getDatasetFirstValueById("uid") + "@jud.state.ma.us"</string>
                                   </forceValues>
                                </dataset>
				<dataset>
					<name>samAccountName</name>
					<policy>KEEP</policy>
					<createValues>
						<string>js:srcBean.getDatasetFirstValueById("uid")</string>
					</createValues>
				</dataset>
				<dataset>
					<name>streetAddress</name>
					<policy>KEEP</policy>
					<createValues>
						<string>js:srcBean.getDatasetFirstValueById("street")</string>
					</createValues>
				</dataset>
				<dataset>
					<name>givenName</name>
					<policy>FORCE</policy>
					<forceValues>
						<string>js:srcBean.getDatasetFirstValueById("givenName")</string>
					</forceValues>
				</dataset>
                                <dataset>
                                       <name>userAccountControl</name>
                                       <policy>FORCE</policy>
                                       <forceValues>
                                       <string>
                                       var uac = dstBean.getDatasetFirstValueById('userAccountControl');
                                       if (srcBean.getDatasetFirstValueById('employeeType') == "Abandoned") {
                                          uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'),
                                                [AD.UAC_SET_ACCOUNTDISABLE]);
                                       } else {
                                          uac = AD.userAccountControlSet(dstBean.getDatasetFirstValueById('userAccountControl'),
                                                [AD.UAC_UNSET_ACCOUNTDISABLE]);
                                       }
                                        uac;
                                        </string>
                                       </forceValues>
                                </dataset>
				<dataset>
                                        <name>objectClass</name>
					<policy>KEEP</policy>
					<createValues>
						<string>"top";"person";"organizationalPerson";"user"</string>
					</createValues>
				</dataset>
			</propertiesBasedSyncOptions>
		</task>
	</tasks>
</lsc>
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
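
The flag arithmetic behind the script discussed in this thread, as an added example that is not part of the original messages and is not LSC code. userAccountControl is a bit field, so disabling an account means setting the ACCOUNTDISABLE bit rather than writing "0". `desiredUac` and `describe` are hypothetical helpers; the fallback to NORMAL_ACCOUNT when the destination entry has no value yet, and the case-insensitive match on employeeType, are assumptions, and the sample values are constructed.

```javascript
// Documented Active Directory userAccountControl flag values.
const UAC = Object.freeze({
  ACCOUNTDISABLE: 0x0002,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
});

// Hypothetical helper (not an LSC API): compute the value to write to AD.
//   current      - value read from the destination, or null/undefined when
//                  the entry does not exist yet (first, creating, run)
//   employeeType - value of the source attribute
function desiredUac(current, employeeType) {
  const parsed = Number.parseInt(current, 10);
  // Assumption: with nothing to read, start from a plain user account
  // instead of doing bit arithmetic on a missing value.
  const base = Number.isNaN(parsed) ? UAC.NORMAL_ACCOUNT : parsed;
  // Assumption: compare case-insensitively and ignore stray whitespace so a
  // leaver is not left enabled because of a formatting difference.
  const leaver =
    String(employeeType || "").trim().toLowerCase() === "abandoned";
  // Touch only the ACCOUNTDISABLE bit; every other flag is preserved.
  return leaver ? base | UAC.ACCOUNTDISABLE : base & ~UAC.ACCOUNTDISABLE;
}

// Decode a value into flag names, useful when reviewing a dry run.
function describe(value) {
  return Object.keys(UAC).filter((name) => (value & UAC[name]) !== 0);
}

// Constructed sample inputs: [current userAccountControl, employeeType].
const samples = [
  [null, "Staff"],        // entry not created yet
  [null, "Abandoned"],    // leaver created for the first time
  ["546", "Staff"],       // disabled + password not required + normal
  ["66048", "Abandoned"], // enabled account with non-expiring password
];
for (const [current, type] of samples) {
  const next = desiredUac(current, type);
  console.log(current, type, "->", next, describe(next).join("|"));
}
```
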